Eurocrypt 2000: Security of 3GPP networks

On the Security of 3GPP Networks
Michael Walker
Vodafone AirTouch & Royal Holloway, University of London
Chairman.

Acknowledgements
- This presentation is based on the technical specifications and reports produced by the members of 3GPP SA3 and ETSI SAGE, available from http://www.3gpp.org
- Much of the background work was done as part of the EU-funded ACTS project USECA; the partners are Vodafone, G&D, Panasonic, Siemens Atea, Siemens AG & Katholieke Universiteit Leuven
- http://www.useca.freeserve.co.uk

Principles for 3G Security
- Build on the security of GSM
  - adopt the security features from GSM that have proved to be needed and robust
  - try to ensure compatibility with GSM in order to ease inter-working and handover
- Correct the problems with GSM by addressing its real and perceived security weaknesses
- Add new security features
  - as are necessary to secure new services offered by 3G
  - to take account of changes in network architecture

Limitations of GSM Security
- Problems with GSM security stem by and large from design limitations on what is protected rather than on defects in the security mechanisms themselves
  - only provides access security - communications and signalling in the fixed network portion aren’t protected
  - does not address active attacks, whereby network elements may be impersonated
  - designed to be only as secure as the fixed networks to which they connect
  - lawful interception only considered as an afterthought

Limitations of GSM Security, 2
- Failure to acknowledge limitations
  - encryption needed to guard against radio channel hijack
  - the terminal is an unsecured environment - so trust in the terminal identity is misplaced
- Inadequate flexibility to upgrade and improve security functions over time
- Lack of visibility that the security is being applied
  - no indication to the user that encryption is on
  - no explicit confirmation to the home network that authentication is properly used when customers roam

Limitations of GSM Security, 3
- Lack of confidence in cryptographic algorithms
  - lack of openness in design and publication of A5/1
  - misplaced belief by regulators in the effectiveness of controls on the export or (in some countries) the use of cryptography
  - key length too short, but some implementation faults make increase of encryption key length difficult
  - need to replace A5/1, but poor design of support for simultaneous use of more than one encryption algorithm is making replacement difficult
  - ill-advised use of COMP 128

Specific GSM Security Problems
- Encryption terminated too soon
  - user traffic and signalling in clear on microwave links
- Clear transmission of cipher keys & authentication values within and between networks
  - signalling system vulnerable to interception and impersonation
- Confidence in strength of algorithms
  - failure to choose best authentication algorithms
  - improvements in cryptanalysis of A5/1
- Use of false base stations

False Base Stations
- Used as IMSI Catcher for law enforcement
- Used to intercept mobile originated calls
  - encryption controlled by network and user unaware if it is not on
- Dynamic cloning risk in networks where encryption is not used

Security Parameters & Choices
- START (32 bits): initial hyperframe number
  - used to initialise COUNT-C/I
  - assures user MAC-I is fresh
  - START stored/updated USIM
- CKSN (3 bits): cipher key sequence number
  - indicates the key set that is stored in USIM
  - when START exceeds a certain threshold, CKSN can be used to trigger a new AKA
- FRESH (32 bits): network nonce
  - assures network MAC-I fresh
- AKA is performed when
  - the user enters a new SN
  - the user indicates that a new AKA is required when the amount of data ciphered with CK has reached a threshold
  - the serving network decides
- Otherwise integrity-key based authentication
- Selection of UEA and UIA by user/user’s home environment
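
The freshness roles of START, COUNT-I and FRESH from this slide, as an added example that is not part of the presentation: it shows a replay being rejected inside one connection (counter) and in a later connection under the same IK (new FRESH), and the START threshold forcing a new AKA. Assumptions: HMAC-SHA-256 truncated to 32 bits stands in for the UIA function, START is simplified to advance with every protected message, and the class names, threshold, key, nonces and messages are constructed.

```python
import hashlib
import hmac

START_THRESHOLD = 1000  # constructed; the slide only says "a certain threshold"

def mac_i(ik, count_i, fresh, message):
    """Stand-in for UIA (assumption): HMAC-SHA-256 truncated to 32 bits."""
    data = count_i.to_bytes(4, "big") + fresh + message
    return hmac.new(ik, data, hashlib.sha256).digest()[:4]

class Network:
    """Hypothetical serving-network side of one signalling connection."""
    def __init__(self, ik, start, fresh):
        self.ik, self.fresh = ik, fresh  # FRESH: 32-bit nonce chosen by the network
        self.last_count = start          # COUNT-I is initialised from START
    def verify(self, count_i, message, tag):
        expected = mac_i(self.ik, count_i, self.fresh, message)
        if count_i <= self.last_count or not hmac.compare_digest(tag, expected):
            return False                 # stale counter or MAC-I mismatch
        self.last_count = count_i
        return True

class User:
    """Hypothetical terminal/USIM side: IK and START persist across connections."""
    def __init__(self, ik, start):
        self.ik, self.start = ik, start
    def protect(self, fresh, message):
        self.start += 1                  # simplified: START advances per message
        return self.start, message, mac_i(self.ik, self.start, fresh, message)
    def needs_new_aka(self):
        return self.start >= START_THRESHOLD

def demo():
    ik = bytes(range(16))                # constructed 128-bit IK
    user = User(ik, start=START_THRESHOLD - 2)
    net1 = Network(ik, user.start, fresh=b"\x00\x00\x00\x01")
    recorded = user.protect(net1.fresh, b"constructed signalling message")
    out = {"first": net1.verify(*recorded), "replay_same": net1.verify(*recorded)}
    out["aka_after_first"] = user.needs_new_aka()
    # Replay into a later connection: the claimed START is old, but FRESH is new.
    net2 = Network(ik, recorded[0] - 1, fresh=b"\x00\x00\x00\x02")
    out["replay_new_connection"] = net2.verify(*recorded)
    net3 = Network(ik, user.start, fresh=b"\x00\x00\x00\x03")
    out["second"] = net3.verify(*user.protect(net3.fresh, b"constructed message 2"))
    out["aka_after_second"] = user.needs_new_aka()
    return out

if __name__ == "__main__":
    print(demo())
```

A real network draws FRESH at random for each connection; fixed values are used here only so the run is repeatable.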

General Approach to Design
- Robust approach to exportability - full strength algorithm and expect agencies to fall into line
- ETSI SAGE appointed as design authority
- Take existing algorithm as starting point
- Use block cipher as building block for both algorithms - MISTY1 chosen:
  - fairly well studied, some provable security aspects
  - parameter sizes suitable
  - designed to be efficient in hardware and software
  - offered by Mitsubishi free from royalty payments